From a5667f79831f60a33abd284bdc6f198e5a1fbe49 Mon Sep 17 00:00:00 2001 From: Guillaume Charest <1690085+gcharest@users.noreply.github.com> Date: Fri, 19 Apr 2024 14:22:54 -0400 Subject: [PATCH] fix: add permissions to workflow to put object in target bucket (#467) * fix: add permissions to workflow to put object in target bucket * feat: GitHub OIDC role to fix the geodb permissions * fix: var billing value --- .github/workflows/refresh_geodb.yml | 7 ++++++ terraform/oidc_roles.tf | 38 +++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 terraform/oidc_roles.tf diff --git a/.github/workflows/refresh_geodb.yml b/.github/workflows/refresh_geodb.yml index 22f762f0..75c76455 100644 --- a/.github/workflows/refresh_geodb.yml +++ b/.github/workflows/refresh_geodb.yml @@ -17,6 +17,13 @@ jobs: aws-secret-access-key: ${{ secrets.AWS_S3_BACKUP_SECRET_ACCESS_KEY }} aws-region: ca-central-1 + - name: Configure aws credentials using OIDC + uses: aws-actions/configure-aws-credentials@master + with: + role-to-assume: arn:aws:iam::283582579564:role/geodb_refresh_role + role-session-name: SREBotGitHubActions + aws-region: "ca-central-1" + - name: Download GeoDB and update to bucket run: | wget -O GeoLite2-City.tar.gz "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=${{ secrets.MAXMIND_LICENSE }}&suffix=tar.gz" diff --git a/terraform/oidc_roles.tf b/terraform/oidc_roles.tf new file mode 100644 index 00000000..657bc80b --- /dev/null +++ b/terraform/oidc_roles.tf 
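Review bot: `uses: aws-actions/configure-aws-credentials@master` tracks a mutable branch, so any push to that action's default branch runs inside this job with its `id-token` permission and the S3 rights of `geodb_refresh_role`; pin it to a release tag or, better, a full commit SHA, e.g. `uses: aws-actions/configure-aws-credentials@v4`. The new OIDC step is appended after the existing step that still exports the long-lived `AWS_S3_BACKUP_*` keys (the context lines at the top of the hunk), so the static credentials stay in the workflow and are presumably just overridden by the second step; once the role works, that step and its secrets should be removed rather than left as a fallback. The OIDC token exchange also needs `permissions: id-token: write` on the job or workflow, which is outside this hunk — the commit title suggests it was added, but it is worth confirming. The job definition starts before and continues after the hunk.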
@@ -0,0 +1,38 @@
+locals {
+ geodb_name = "geodb_refresh_role"
+}
+
+module "gh_oidc_roles" {
+ source = "github.com/cds-snc/terraform-modules//gh_oidc_role?ref=v7.0.2"
+ org_name = "cds-snc"
+ roles = [
+ {
+ name = local.geodb_name
+ repo_name = "sre-bot"
+ claim = "ref:refs/heads/main"
+ }
+ ]
+
+ billing_tag_value = var.billing_code
+
+}
+
+# policy to allow publishing techdocs to S3 bucket
+data "aws_iam_policy_document" "publish_techdocs" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "s3:ListBucket",
+ "s3:PutObject",
+ "s3:DeleteObject",
+ "s3:DeleteObjectVersion",
+ "s3:GetObject",
+ ]
+
+ resources = [
+ "${module.sre_bot_bucket.s3_bucket_arn}/*",
+ "${module.sre_bot_bucket.s3_bucket_arn}"
+ ]
+ }
+}
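Review bot: `data.aws_iam_policy_document.publish_techdocs` is never attached to the role in this file — the `gh_oidc_roles` module call passes no policy and there is no `aws_iam_role_policy` or attachment resource — so unless it is wired up elsewhere, `geodb_refresh_role` as assumed by the workflow still has no S3 rights and the upload keeps failing. The statement also grants `s3:DeleteObject` and `s3:DeleteObjectVersion`, which a job that only downloads the GeoLite2 archive and uploads it does not need; trimming the actions to `s3:ListBucket`, `s3:PutObject` and `s3:GetObject` keeps the role at least privilege. The comment `# policy to allow publishing techdocs to S3 bucket` looks copy-pasted from another role and should describe this one, e.g. `# policy allowing the GitHub OIDC geodb refresh role to upload the GeoLite2 archive to the sre-bot bucket`. The attachment below assumes the module creates an IAM role named `local.geodb_name`; confirm the actual role name or ARN against the module's outputs before relying on it.

```hcl
# … unchanged: locals and gh_oidc_roles module …

# policy allowing the GitHub OIDC geodb refresh role to upload the GeoLite2 archive to the sre-bot bucket
data "aws_iam_policy_document" "publish_techdocs" {
  statement {
    effect = "Allow"

    # upload-only job: no Delete* actions needed
    actions = [
      "s3:ListBucket",
      "s3:PutObject",
      "s3:GetObject",
    ]

    # … unchanged: resources …
  }
}

# attach the policy to the OIDC role; otherwise the document above is inert
resource "aws_iam_role_policy" "geodb_refresh_s3" {
  name   = "geodb_refresh_s3"
  role   = local.geodb_name # NOTE(review): assumes the module names the role this way — verify via module outputs
  policy = data.aws_iam_policy_document.publish_techdocs.json
}
```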